OLD | NEW |
1 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c | 1 diff --git a/nss/lib/ssl/ssl3con.c b/nss/lib/ssl/ssl3con.c |
2 index 8b8b758..567d481 100644 | 2 index 8b8b758..25709b2 100644 |
3 --- a/nss/lib/ssl/ssl3con.c | 3 --- a/nss/lib/ssl/ssl3con.c |
4 +++ b/nss/lib/ssl/ssl3con.c | 4 +++ b/nss/lib/ssl/ssl3con.c |
5 @@ -4975,6 +4975,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 5 @@ -4975,6 +4975,7 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
6 PRBool isTLS = PR_FALSE; | 6 PRBool isTLS = PR_FALSE; |
7 PRBool requestingResume = PR_FALSE; | 7 PRBool requestingResume = PR_FALSE; |
8 PRInt32 total_exten_len = 0; | 8 PRInt32 total_exten_len = 0; |
9 + unsigned paddingExtensionLen; | 9 + unsigned paddingExtensionLen; |
10 unsigned numCompressionMethods; | 10 unsigned numCompressionMethods; |
11 PRInt32 flags; | 11 PRInt32 flags; |
12 | 12 |
13 @@ -5241,6 +5242,20 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 13 @@ -5241,6 +5242,22 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
14 length += 1 + ss->ssl3.hs.cookieLen; | 14 length += 1 + ss->ssl3.hs.cookieLen; |
15 } | 15 } |
16 | 16 |
17 + /* A padding extension may be included to ensure that the record containing | 17 + /* A padding extension may be included to ensure that the record containing |
18 + * the ClientHello doesn't have a length between 256 and 511 bytes | 18 + * the ClientHello doesn't have a length between 256 and 511 bytes |
19 + * (inclusive). Initial, ClientHello records with such lengths trigger bugs | 19 + * (inclusive). Initial, ClientHello records with such lengths trigger bugs |
20 + * in F5 devices. | 20 + * in F5 devices. |
21 + * | 21 + * |
22 + * This is not done for DTLS nor for renegotiation. */ | 22 + * This is not done for DTLS nor for renegotiation. */ |
23 + if (!IS_DTLS(ss) && !ss->firstHsDone) { | 23 + if (!IS_DTLS(ss) && |
| 24 + ss->version > SSL_LIBRARY_VERSION_3_0 && |
| 25 + !ss->firstHsDone) { |
24 + paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length); | 26 + paddingExtensionLen = ssl3_CalculatePaddingExtensionLength(length); |
25 + total_exten_len += paddingExtensionLen; | 27 + total_exten_len += paddingExtensionLen; |
26 + length += paddingExtensionLen; | 28 + length += paddingExtensionLen; |
27 + } else { | 29 + } else { |
28 + paddingExtensionLen = 0; | 30 + paddingExtensionLen = 0; |
29 + } | 31 + } |
30 + | 32 + |
31 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); | 33 rv = ssl3_AppendHandshakeHeader(ss, client_hello, length); |
32 if (rv != SECSuccess) { | 34 if (rv != SECSuccess) { |
33 return rv; /* err set by ssl3_AppendHandshake* */ | 35 return rv; /* err set by ssl3_AppendHandshake* */ |
34 @@ -5360,6 +5375,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) | 36 @@ -5360,6 +5377,13 @@ ssl3_SendClientHello(sslSocket *ss, PRBool resending) |
35 return SECFailure; | 37 return SECFailure; |
36 } | 38 } |
37 maxBytes -= extLen; | 39 maxBytes -= extLen; |
38 + | 40 + |
39 + extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes); | 41 + extLen = ssl3_AppendPaddingExtension(ss, paddingExtensionLen, maxBytes); |
40 + if (extLen < 0) { | 42 + if (extLen < 0) { |
41 + return SECFailure; | 43 + return SECFailure; |
42 + } | 44 + } |
43 + maxBytes -= extLen; | 45 + maxBytes -= extLen; |
44 + | 46 + |
(...skipping 88 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
133 ssl_next_proto_nego_xtn = 13172, | 135 ssl_next_proto_nego_xtn = 13172, |
134 ssl_channel_id_xtn = 30031, | 136 ssl_channel_id_xtn = 30031, |
135 + ssl_padding_xtn = 35655, | 137 + ssl_padding_xtn = 35655, |
136 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ | 138 ssl_renegotiation_info_xtn = 0xff01 /* experimental number */ |
137 } SSLExtensionType; | 139 } SSLExtensionType; |
138 | 140 |
139 -#define SSL_MAX_EXTENSIONS 11 | 141 -#define SSL_MAX_EXTENSIONS 11 |
140 +#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. *
/ | 142 +#define SSL_MAX_EXTENSIONS 11 /* doesn't include ssl_padding_xtn. *
/ |
141 | 143 |
142 #endif /* __sslt_h_ */ | 144 #endif /* __sslt_h_ */ |
OLD | NEW |